Fedora has issued an advisory on April 8: https://lists.fedoraproject.org/pipermail/package-announce/2014-April/131842.html

Looks like we missed this one before. I'm not sure if the CVE-2014-270[89] issues are the same as were previously fixed in Bug 10951. They sound similar, but Bug 10951 made it sound like they were fixed in 0.8.8b, but Fedora apparently added additional patches on top of that version.

Debian has issued an advisory for this on June 29: https://www.debian.org/security/2014/dsa-2970 It lists an additional CVE, CVE-2014-4002.

Mageia 4 is also affected.
Whiteboard: (none) => MGA4TOO
LWN reference for CVE-2014-4002: http://lwn.net/Vulnerabilities/604682/
Patches have been added in cacti-0.8.8b-4.mga5 and cacti-0.8.8b-3.1.mga4 that fix: CVE-2014-2326, CVE-2014-2328, CVE-2014-2708, CVE-2014-2709, CVE-2014-4002
Thanks Oden.

Advisory:
========================

Updated cacti package fixes security vulnerabilities:

Multiple security issues (cross-site scripting, cross-site request forgery, SQL injections, missing input sanitising) have been found in Cacti (CVE-2014-2326, CVE-2014-2328, CVE-2014-2708, CVE-2014-2709, CVE-2014-4002).

References:
http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2014-2326
http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2014-2328
http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2014-2708
http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2014-2709
http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2014-4002
https://www.debian.org/security/2014/dsa-2970
========================

Updated packages in core/updates_testing:
========================
cacti-0.8.8b-3.1.mga4 from cacti-0.8.8b-3.1.mga4.src.rpm
Version: Cauldron => 4
Assignee: oe => qa-bugs
Whiteboard: MGA4TOO => (none)
Procedures can be found at: http://www.cacti.net/downloads/docs/html/unix_configure_cacti.html

Once installed, you can browse to http://localhost/cacti and look at the graphs, or use the console to add more graphs or other devices.
CC: (none) => dpremy
Whiteboard: (none) => has_procedure
Testing on mga4-64. Installed cacti-0.8.8b-3.mga4 and used the default config with a few other devices added from my network. Upgraded to cacti-0.8.8b-3.1.mga4 and all features tested worked as expected. Could not reproduce the security vuln but will add ok.
Whiteboard: has_procedure => has_procedure mga4-64-ok
Same tests done on mga4-32 as I did with mga4-64 with no issues. Marking ok.
Whiteboard: has_procedure mga4-64-ok => has_procedure mga4-64-ok mga4-32-ok
Validating now so it doesn't get missed. The advisory still needs to be uploaded. Sysadmins, please push this to updates for Mageia 4.
Keywords: (none) => validated_update
CC: (none) => sysadmin-bugs
Advisory uploaded.
CC: (none) => remi
Whiteboard: has_procedure mga4-64-ok mga4-32-ok => has_procedure mga4-64-ok mga4-32-ok advisory
Update pushed http://advisories.mageia.org/MGASA-2014-0302.html
Status: NEW => RESOLVED
CC: (none) => mageia
Resolution: (none) => FIXED